
Splunk Enterprise PostgreSQL Backup-to-Restore Potential RCE Sequence

Elastic Detection Rules

Summary
This rule detects a two-event HTTP POST sequence against the Splunk Enterprise PostgreSQL recovery endpoints from the same source within a 15-minute window: a POST to the backup endpoint followed by a POST to the restore endpoint on the same host. The pattern matches the public CVE-2026-20253 pre-authentication RCE chain, in which an attacker may stage a PostgreSQL dump via the backup path and then have attacker-controlled SQL executed through the restore path.

The rule ingests network-level HTTP request data from network sensors such as Zeek and Suricata, or from the Elastic network_traffic integrations, and correlates the two POST requests to the backup and restore endpoints on the same Splunk host. The detection logic filters for POST requests whose paths match the backup or restore endpoint, marks each request as a backup or a restore, and computes the time between the first and last matching events. A sequence fires only when at least one backup and one restore occur within 15 minutes.

The rule is mapped to MITRE ATT&CK technique T1190 Exploit Public-Facing Application under Initial Access (TA0001). It includes risk and remediation guidance, false-positive handling, and recommended mitigations such as patching per SVD-2026-0603 and isolating the host from the network if exploitation is confirmed.
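The correlation logic described above, as an added illustration that is not Elastic's rule code: it groups POST requests by source IP and destination host, classifies each as backup or restore, and alerts when a backup is followed by a restore on the same host within 15 minutes. The endpoint path fragments, event field names and sample events are assumptions constructed for the example; the page names the endpoints only by role.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)  # the rule's 15-minute correlation window
# Placeholder path fragments: the page names the endpoints only by role.
BACKUP_MARKER, RESTORE_MARKER = "/backup", "/restore"

def classify(event):
    """Return 'backup', 'restore', or None for one HTTP request event."""
    if event["method"] != "POST":
        return None
    if BACKUP_MARKER in event["url_path"]:
        return "backup"
    if RESTORE_MARKER in event["url_path"]:
        return "restore"
    return None

def find_sequences(events):
    """Alert when one source POSTs backup then restore to the same host within WINDOW."""
    by_pair = defaultdict(list)  # (src_ip, dst_host) -> [(timestamp, kind)]
    for e in events:
        kind = classify(e)
        if kind:
            by_pair[(e["src_ip"], e["dst_host"])].append(
                (datetime.fromisoformat(e["ts"]), kind))
    alerts = []
    for (src, dst), evs in sorted(by_pair.items()):
        evs.sort()
        for i, (tb, kb) in enumerate(evs):
            if kb != "backup":
                continue
            # first restore after this backup that still falls inside the window
            later = [t for t, k in evs[i + 1:] if k == "restore" and t - tb <= WINDOW]
            if later:
                alerts.append({"src_ip": src, "dst_host": dst,
                               "seconds_between": (later[0] - tb).total_seconds()})
                break  # one alert per source/host pair
    return alerts

def mk(ts, src, dst, method, path):
    return {"ts": ts, "src_ip": src, "dst_host": dst, "method": method, "url_path": path}

SAMPLE_EVENTS = [  # constructed sample events, not real telemetry; paths are placeholders
    mk("2026-06-15T12:00:00", "10.0.0.5", "splunk-01", "POST", "/example/pg/backup"),
    mk("2026-06-15T12:04:30", "10.0.0.5", "splunk-01", "POST", "/example/pg/restore"),
    mk("2026-06-15T13:00:00", "10.0.0.7", "splunk-01", "POST", "/example/pg/backup"),
    mk("2026-06-15T13:30:00", "10.0.0.7", "splunk-01", "POST", "/example/pg/restore"),  # 30 min: outside window
    mk("2026-06-15T14:00:00", "10.0.0.9", "splunk-02", "GET", "/example/pg/backup"),  # not a POST: ignored
]
```

Running `find_sequences(SAMPLE_EVENTS)` yields a single alert for 10.0.0.5 against splunk-01 with 270 seconds between the two requests; the 30-minute pair and the GET are correctly ignored.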
Categories
  • Network
Data Sources
  • Network Traffic
ATT&CK Techniques
  • T1190
Created: 2026-06-15